PDPA Policy
1. Introduction
This policy shall cover the S3 Group of Companies (“S3”), its wholly owned subsidiaries and other subsidiaries, and companies related to the S3 Group of Companies.
This Policy shall be known as the S3 Data Protection Policy (“S3 DPP”) and in essence shall set out the principles, in compliance with the Laws of Malaysia, Act 709, Personal Data Protection Act 2010, to protect the rights of staff, customers, stakeholders and partners of the S3 Group of Companies from the risk of data breaches.
2. Scope
This policy shall apply to:
- S3 Chemicals Sdn Bhd, all subsidiaries and related Companies of S3 Chemicals Sdn Bhd (“S3 Group of Companies”)
- All staff of S3 Group of Companies
- All customers, suppliers and other people whom S3 may engage from time to time
This policy shall apply to all data held relating to an identifiable individual, which may include name, NRIC number, email address, date of birth, telephone number, etc. This policy shall protect S3 from breaches of confidentiality, from failing to offer individuals a choice in how their data is to be used, and from the harm S3 may suffer in the event such data is hacked.
The following people/officers shall each have their own key area of responsibility:
- The Board of Directors is ultimately responsible for ensuring S3 meets its legal obligations in the protection of data and uses such data responsibly.
- The Data Protection Officer named by the Board is responsible for the following:
- Keeping the Board updated about data protection responsibilities, risks and issues
- Reviewing all data protection procedures and related policies, in line with the current law
- Handling data protection questions from all staff and anyone else covered by this policy
- Dealing with requests from individuals to see, review, amend and remove the data held by S3
- Checking and approving any contracts or agreements with third parties that may involve individual data
- Ensuring all systems, services and equipment used for data storage meet acceptable security standards
- Performing regular checks to ensure security hardware and software are functioning properly
- Evaluating any third-party services S3 uses to store or process data, such as cloud computing services, if any
- Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
3. General Staff Guidelines
- The only people able to access data covered by this policy should be those who need it for their work.
- Data should not be stored in a general location or shared storage; it must be accessible only by the intended person.
- The Data Protection Officer/Head of Department should train employees from time to time to help them understand and handle such data responsibly.
- Personal data must not be disclosed to unauthorized people within or outside the Company.
- Data should be regularly reviewed and updated if it is found to be out of date and should be deleted or disposed responsibly when it is no longer required.
- Employees must request help from the Data Protection Officer/Head of Department if they are unsure about any aspect of data protection.
4. Data Storage and Housekeeping
This rule shall prescribe how and where data held by S3 should be safely stored.
When data is stored on paper, it should be kept in a secure place where unauthorized personnel cannot access it. This rule shall also apply where data is usually stored electronically but has been printed out for some reason.
Therefore,
- When not required, the paper or files should be kept in a designated drawer or filing cabinet.
- Employees should make sure papers or files are not left where unauthorized personnel can access them.
- Data printouts should be shredded or disposed of securely when no longer required.
Where data is stored electronically, it must be protected from unauthorized access, accidental deletion and malicious hacking attempts:
- Access to data should be protected by strong passwords
- Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing service, if any, where the Company has opted for off-site storage.
- Data should be backed up periodically
- Data should never be saved directly to personal laptops, handphone, etc.
- All computers or servers containing data shall be properly protected by approved security software or firewall
5. Data Retention
Any Personal Data provided is retained for as long as the purposes for which the Personal Data was collected continue. The Personal Data is then deleted from the system once it is no longer required for the said purposes, unless its further retention is required to satisfy a longer retention period under our operational, legal, regulatory, tax or accounting requirements.
6. Data Usage
Personal Data is of no value to S3 unless S3 can make use of it. It is when personal data is accessed and used that it is at the greatest risk of loss, corruption or theft.
Therefore, when working with the data, employees must ensure that:
- The screen of the computer is always locked when left unattended
- Data is not shared informally, sent by email, or stored on private media for other purposes
7. Data Accuracy
The Law requires the Company to take reasonable steps to ensure data is kept accurate and up to date. It is the responsibility of the employees who work with data to ensure it is kept as accurate as possible. Therefore, data should be updated as soon as an update is requested.
8. Conclusion
S3 must ensure that individuals are aware that their data is being stored and processed, that they understand how their data is being used, and that they know their rights to their own data. S3 shall ensure that the usage of data is in line with the relevant law and with the purposes for which the data was intended to be used.